The Identity Model is a claims-based authorization system. Claims describe the capabilities associated with some entity in the system, often a user of that system. The set of claims associated with a given entity can be thought of as a key. The particular claims define the shape of that key; much like a physical key is used to open a lock in a door. In this way, claims are used to gain access to resources. Access to a given protected resource is determined by comparing the claims required to access that resource with the claims associated with the entity that attempts access.

A claim is the expression of a right with respect to a particular value. A right could be read, write, or possess. A value could be a database, a file, a mailbox, or a property. Claims also have a claim type. The combination of claim type and right provides the mechanism for capabilities being specified with respect to the value. For example, a claim of type file with the right read over the value biography.doc indicates that the entity with such a claim has read access to the file biography.doc. A claim of type name with the right PossessProperty over the value Martin indicates that the entity with the claim possesses a Name property with the value Martin.

Although various claim types and rights are defined as part of Identity Model, the system is extensible. The various systems building on top of the Identity Model infrastructure can define claim types and rights as required.

' Run this method from within a method protected by the PrincipalPermissionAttribute ' to see the security context data, including the primary identity. PublicSub WriteServiceSecurityContextData(ByVal fileName AsString)
Dim sw AsNew StreamWriter(fileName)
Try' Write the primary identity and Windows identity. The primary identity is derived from the ' the credentials used to authenticate the user. The Windows identity may be a null string.
sw.WriteLine("PrimaryIdentity: {0}", ServiceSecurityContext.Current.PrimaryIdentity.Name)
sw.WriteLine("WindowsIdentity: {0}", ServiceSecurityContext.Current.WindowsIdentity.Name)
sw.WriteLine()
' Write the claimsets in the authorization context. By default, there is only one claimset ' provided by the system. Dim claimset As ClaimSet
ForEach claimset In ServiceSecurityContext.Current.AuthorizationContext.ClaimSets
Dim claim As Claim
ForEach claim In claimset
' Write out each claim type, claim value, and the right. There are two ' possible values for the right: "identity" and "possessproperty".
sw.WriteLine("Claim Type = {0}", claim.ClaimType)
sw.WriteLine(vbTab + " Resource = {0}", claim.Resource.ToString())
sw.WriteLine(vbTab + " Right = {0}", claim.Right)
Next claim
Next claimset
Finally
sw.Dispose()
EndTryEndSub